Wi-Fi Sense Is a Wakeup Call for PSK Networks


June 23, 2015 | Adam

Wi-Fi Sense is a feature that has been around for a bit in the Windows phone environment, but will make its PC debut in Windows 10. In essence, it lets Windows users share Wi-Fi connections with each other. It’s an incredibly neat feature that presents… challenges for information security managers.

There are two parts to Wi-Fi Sense. The first is enabled by default and lets you connect to Wi-Fi networks that your contacts have shared with you, bypassing any password prompts or captive portals. It will even automatically accept any terms of use that you would normally be prompted for (I guess people aren’t even pretending to read them anymore).

The options as they are set by default.

The second part (which is disabled by default) lets you share networks with your friends. Once enabled, you can choose to share networks with your Skype, Outlook, or Facebook contacts (they also have to have a version of Windows that supports it). You get to choose which networks you share, but not which friends they are shared with. It’s everyone or no one.

Once I opt in, I can select which networks to share and with which contacts.

It’s pretty clear that this is all aimed squarely at public hotspots. You don’t need to go through the steps of getting a connection at any place one of your friends has already been. It will even fill out forms with dummy information if it has to register. A database in the cloud keeps track of known Wi-Fi connections and the Wi-Fi Sense users who have connected to them, using that information to steer devices towards the better-known networks.

You actually have to know the password to share it. Notice I can’t share the Starbucks password since it’s a network that was shared to me. Note: This list of known networks is pulled from the cloud, so I can manage them on any Windows PC linked to my account.

There is also potential for use in any home or small business setting that relies on password-based wireless. Share your connection info with your contacts and let them connect automatically to your network when they are in range. The password and any other necessary credentials are downloaded from the cloud in an encrypted form (so the guests never actually see them), and networking features are strictly limited to internet access only. This actually has the potential to be a low-fi guest access solution (limited, of course, to the newest versions of Windows).

The Wake Up Call for Network Engineers

Of course, everything is not peaches and gravy. As always, connecting to open hotspots has security risks for the user. To their credit, Microsoft actually recommends using a VPN when doing so. But more importantly for network administrators, if you are still using any sort of PSK wireless security in an enterprise network, this should be your wakeup call.

It has long been known that distributing a single password for network access requires putting a lot of trust in every single user. But Wi-Fi Sense makes the task of sharing connections easier, to the point where users can even share access inadvertently.

The networks that I can’t share were either shared with me, captive portal, or 802.1X.

Right now, you can opt your network out by adding “_optout” to the end of the SSID. And Microsoft has done a fair bit of work to make sure this feature doesn’t create any glaring security holes. But there is no reason to believe that there won’t be other services like this in the future that take the same concept and run even further with it.
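As an added example (not from the original post, and not Microsoft's code), the sketch below audits an SSID inventory against the rules described here: networks already ending in “_optout”, 802.1X networks and captive portals are not shareable, and every remaining PSK network is flagged. The inventory, the auth labels and the case-sensitive suffix match are assumptions; the check that the suffix still fits in the 32-octet SSID limit of IEEE 802.11 goes beyond what the post covers.

```python
from dataclasses import dataclass

OPT_OUT = "_optout"     # suffix quoted in the post
MAX_SSID_OCTETS = 32    # IEEE 802.11 caps an SSID at 32 octets


@dataclass
class Network:
    ssid: str
    auth: str                    # constructed labels: open, wpa2-psk, wpa2-enterprise
    captive_portal: bool = False


def audit(net):
    """Return (status, detail) for one inventory entry."""
    if net.ssid.endswith(OPT_OUT):       # assumption: exact, case-sensitive match
        return ("opted-out", None)
    if net.auth == "wpa2-enterprise":
        return ("not-shareable-802.1X", None)
    if net.captive_portal:
        return ("not-shareable-captive-portal", None)
    if net.auth != "wpa2-psk":
        return ("no-psk-to-share", None)
    renamed = net.ssid + OPT_OUT
    over = len(renamed.encode("utf-8")) - MAX_SSID_OCTETS
    if over > 0:
        # Suffix does not fit: the base name must lose `over` octets first.
        return ("shareable-suffix-too-long", over)
    return ("shareable", renamed)            # detail = SSID to rename to


# Constructed inventory, not real networks.
INVENTORY = [
    Network("CorpGuest", "wpa2-psk"),
    Network("CorpSecure", "wpa2-enterprise"),
    Network("Warehouse-Scanners-Building-07", "wpa2-psk"),
    Network("Lab_optout", "wpa2-psk"),
    Network("Lobby", "open", captive_portal=True),
]


def report(inventory=INVENTORY):
    return {n.ssid: audit(n) for n in inventory}


if __name__ == "__main__":
    for ssid, (status, detail) in report().items():
        print(f"{ssid:32} {status:30} {detail or ''}")
```

Renaming an SSID means every client profile for that network has to be updated to the new name.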

The Importance of 802.1X

A lot of people are up in arms that this feature will ruin PSK networks. That would only be true if you were giving out passwords indiscriminately, in which case the PSK network was insecure to begin with. This changes nothing about the existing trust models inherent to WPA2-Personal. If anything, Microsoft made a safer alternative for your users to share connections without putting the networks at risk.

Some people are complaining that users can’t choose who they share the networks with. As far as sharing public hotspots goes, this is really a non-issue. Besides, by the time you start adding user-specific permissions and identifying them to networks, you’ll pretty much have an enterprise product on your hands.

All said and done, the implementation is actually pretty slick, but there’s no guarantee that it will catch on.

But I think a lot of people are really just having a hard time because the illusion of security is finally gone from WPA2-PSK. Again, the security has not actually been changed, but Microsoft is revealing what people really think of your password policy. A lot of people are unnecessarily dragging their feet on upgrading to 802.1X, despite the fact that it’s never been easier (*cough, cough* *hint, hint*).

What’s your take? We’d love to hear what you are still using WPA2-PSK for or what your worries about Windows 10 will be. Send us your thoughts at feedback@securew2.com.